Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Daniel R. Levinson
Inspector General

September 2014
A-18-14-30011

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

This summary report provides an overview of the results of three reviews of the security of certain information technology at the Federal, Kentucky, and New Mexico Health Insurance Marketplaces. These reviews generally examined whether information security controls were implemented in accordance with relevant Federal requirements and guidance and whether vulnerabilities identified by prior assessments were remediated in a timely manner.

Although the Centers for Medicare & Medicaid Services (CMS) had implemented controls to secure Healthcare.gov and consumer personally identifiable information (PII) on the Federal Marketplace, we identified areas for improvement in its information security controls. Kentucky had sufficiently protected PII on its Marketplace Web sites and databases in accordance with Federal requirements. However, opportunities to improve the Kentucky Marketplace's database access and information security controls remain.
Although New Mexico management had implemented security controls, policies, and procedures to prevent vulnerabilities in its Web site, database, and supporting information systems, its information technology policies and procedures did not always conform to Federal requirements to secure sensitive information stored and processed by the New Mexico Marketplace.

This summary does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We have provided more detailed information and recommendations to officials of the three Marketplaces so the issues we identified could be appropriately addressed. Part I of this summary provides general background information; Part II summarizes the findings and recommendations of each individual Marketplace review, as well as the responses of the Marketplaces to our findings and recommendations.

On September 4, 2014, CMS issued a statement regarding an intrusion on a server that supports testing of Healthcare.gov but does not contain consumer personal information. The intrusion occurred after the period of our audit and involved technology outside our audit scope.

PART I: BACKGROUND

OIG INFORMATION SYSTEM SECURITY OVERSIGHT

Web sites and database systems that are not secured properly create vulnerabilities that could be exploited by unauthorized persons to compromise the confidentiality of PII or other sensitive data. The integrity of data and systems is a priority for the Office of Inspector General (OIG), and we continually list it as one of the top management challenges facing the U.S. Department of Health and Human Services (Department). In previous work, OIG identified vulnerabilities in a variety of information systems controls, including implementation of requirements and guidance on information security controls, access controls, and configuration management controls, which might have led to unauthorized access to and disclosure of sensitive information or disruption of critical operations. Since the Marketplaces handle consumers' PII, security of the Marketplaces' data and systems is vital.

Health Insurance Marketplaces Could Improve Certain Information Security Controls (A-18-14-30011) 1

HEALTH INSURANCE MARKETPLACES

The Marketplaces, also known as the Health Insurance Exchanges, include Federal, State, and Partnership Marketplaces, each of which must implement and successfully operate a complex set of program requirements. Individuals use the Marketplaces to get information about their health insurance options, be assessed for eligibility for enrollment in a health plan and for financial assistance programs, and enroll in the health plan of their choice.

Under the Affordable Care Act (ACA), States have the option of establishing either a State-run Marketplace (State Marketplace), in which the State is responsible for core Marketplace functions, or a State-partnership marketplace (Partnership Marketplace), in which the Department and the State share responsibilities for core functions.[1] ACA requires the Federal Government to operate a Federally Facilitated Marketplace (FFM) in States that elect not to operate a State or Partnership Marketplace. CMS operates the FFM, known as Healthcare.gov, and works with States on the operation of State and Partnership Marketplaces. In addition to providing for Marketplaces for individual insurance, ACA provides for the establishment of Small Business Health Options Program (SHOP) Marketplaces to help businesses provide health insurance for their employees.[2]

Effective operation of the Marketplaces requires rapid, accurate, and secure integration of data from numerous Federal and State sources and from individuals who use the Marketplaces. It also requires an established, large-scale means of communication among many Federal and State systems.

DATA AND SYSTEMS SECURITY

Federal Regulations To Protect Personally Identifiable Information

On March 27, 2012, CMS issued a final rule,[3] codified at 45 CFR parts 155, 156, and 157, providing that a Marketplace may not create, collect, use, or disclose any PII needed to perform minimum functions unless it does so in a manner consistent with Federal privacy and security standards. The final rule established additional requirements, including standards related to (1) monitoring, periodically assessing, and updating security controls and (2) developing and using secure electronic interfaces. On August 30, 2013, CMS issued a final rule,[4] codified at 45 CFR parts 147, 153, 155, and 156, that established standards for health insurance issuers participating on the Marketplaces. The final rule established standards to protect and secure the individuals' PII.

[1] P.L. 111-148, section 1321 (42 USC 18041).
[2] ACA §1311(b)(1)(B).
[3] 77 Fed. Reg. 18310 (March 27, 2012).
[4] 78 Fed. Reg. 54070 (August 30, 2013).

Privacy and Security Requirements

Federal regulations require that the Department oversee the Marketplaces and non-Exchange (non-Marketplace) entities that are required to comply with the privacy and security standards established and implemented by each Marketplace. These privacy and security standards, found at 45 CFR §§ 155.260 and 155.280, are based on the following principles:

  •  Individual access. Individuals should be able to access and obtain their PII easily and in a readable format.

  •  Correction. Individuals should be able to dispute the accuracy or integrity of their PII in a timely manner and to have erroneous information corrected or to have a dispute documented if their requests for correction are denied.

  •  Openness and transparency. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals or their PII.

  •  Individual choice. Individuals should be able to make informed decisions about the collection, use, and disclosure of their PII.

  •  Collection, use, and disclosure limitations. PII should be created, collected, used, and disclosed only to the extent necessary to accomplish specified purposes and never to discriminate.

  •  Data quality and integrity. Persons and entities should take reasonable steps to ensure that PII is complete, accurate, and up to date to the extent necessary for the person's or entity's intended purpose and that it has not been altered or destroyed in an unauthorized manner.

  •  Safeguards. PII should be protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

  •  Accountability. These principles should be implemented, and adherence assured, through appropriate monitoring and other means, and there should be methods to report and mitigate nonadherence and breaches.

Protecting and ensuring the confidentiality, integrity, and availability of Marketplace enrollment information and information systems is the responsibility of the Marketplaces. To facilitate compliance with the security requirements for the Marketplaces (Federal, State, and Partnership), CMS developed the Minimum Acceptable Risk Standards for Exchanges—Exchange Reference Architecture Supplement (MARS-E),[5] which defines minimum standards for acceptable security risk. MARS-E outlines specific security controls, policies, and procedures that protect the confidentiality, integrity, and availability of a system and its information.

The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems. CMS incorporated NIST guidelines into MARS-E.

[5] Version 1, August 1, 2012.

Security controls are the safeguards and countermeasures that are designed to protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by information systems. Security controls describe the specific capability or function a system needs to protect a particular aspect of the system from unauthorized use.
Controls often safeguard the system from potential future vulnerabilities or remediate current vulnerabilities. Vulnerabilities can range from a flaw or weakness in a system's security procedures (e.g., outdated system security plans), design (e.g., erroneous computer code), implementation (e.g., missing critical patches[6]), or internal controls (e.g., failing to perform routine virus scans) that could result, accidentally or intentionally, in a security breach or the violation of an organization's security policy.

All information systems face vulnerabilities, and complex systems operate at a certain level of risk. Not all vulnerabilities lead to security breaches or high threat risks. An organization's information systems security staff should employ risk management processes to identify vulnerabilities, assess the level of risk a particular vulnerability presents to the overall security of the system, and devise and implement an action plan to correct the vulnerability on the basis of the determined level of risk. Vulnerabilities identified as high risk should be corrected as soon as possible because of their potentially severe or catastrophic impact on the system in case of a breach. Even if a high level of risk has been identified, the system may continue to operate while immediate action is taken. The detection of system vulnerabilities does not necessarily mean a system is not safe. A soundly engineered and secure system, coupled with a rigorous risk management and mitigation process, is the best way to operate a safe system.

Methodology

Various methods exist to determine whether a system is operating securely. Our reviews included determining the adequacy of the information security general controls and performing or reviewing the results of vulnerability scans of Web applications and databases.

Review of Information Security General Controls. The primary objectives of general controls are to safeguard data, protect computer application programs, prevent unauthorized access to system software, and ensure continued operations in case of unexpected interruptions. Reviewing an organization's written policies and procedures, including its systems security plan, can help identify ineffective policies and procedures and reduce risk that could jeopardize an organization's mission, information, and information technology assets. System security plans should include updated policies and procedures related to regular security testing to measure compliance in areas such as patch management, password policy, and configuration management; incident detection, reporting, and response processes, including conducting regular risk assessments; and maintaining proper documentation.

Web Application Vulnerability Scan. Web application vulnerability scans identify potential security vulnerabilities in the Web application and architectural design. Scanners simulate an outside malicious attack on the system and may identify system vulnerabilities that could put a system's security at risk. Scanners use the same techniques as hackers, so the scanners test the security from an outside perspective.

Database Vulnerability Scan. Database vulnerability scans identify potential security vulnerabilities in a system's databases that store sensitive information, including PII. Scanners simulate an outside malicious attack on the system and may identify system vulnerabilities that could put a system's security at risk. Scans allow security assessors to determine how effectively the data are being protected.

[6] Patches are additional pieces of computer code developed by software vendors to address problems (commonly called bugs) found in software.

OBJECTIVE AND LIMITATIONS

The objective of our reviews was to determine whether the selected Marketplaces had protected the sensitive information processed and stored by the Web sites, databases, and supporting information systems. We reviewed the implementation of certain controls supporting the security of the Marketplaces' Web sites and supporting databases. We did not review the systems' overall internal controls and did not determine whether the overall systems were secure.

The findings listed in this summary document reflect a point in time regarding system security and may have changed since we reviewed these systems. Our State reviews are not projectable to other States.

We conducted these performance audits in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audits to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

FUTURE OIG WORK

We will issue a series of reports on the Marketplaces' data and system security for the current and future Marketplace stages. Reports on the FFM and the State Marketplaces of New Mexico and Kentucky are the first three in this series. We are also following up on the implementation of recommendations made in these reports by CMS and the State Marketplaces.

PART II: SUMMARIES OF REPORTS

CMS'S HEALTHCARE.GOV WEB SITE

BACKGROUND

The FFM operates through CMS's Healthcare.gov Web site.
Healthcare.gov also serves as a gateway for consumers to reach State Marketplaces.

HOW WE CONDUCTED THIS REVIEW

We reviewed information security controls and completed a Web application vulnerability scan of Healthcare.gov. We conducted our overall audit work from February to June 2014, including vulnerability scans and simulated attacks in April and May.

Scope

We focused our audit on information security controls over certain operations and systems that support the FFM's Web site and the FFM database servers containing PII.[7] We also reviewed CMS's information security policies and procedures. We reviewed contractor reports related to prior vulnerability scans of the FFM and its supporting databases, assessed whether CMS had fully addressed and remediated the vulnerabilities found, and conducted a Web site vulnerability scan[8] using a commercial automated Web site vulnerability scanner and other open source tools. We limited our review of controls to those that were in effect at the time of our audit.

[7] We did not review any systems outside the FFM that contain consumer information. The Department also stores some consumer information in a system (Multidimensional Insurance Data Analytics System (MIDAS)) that resides outside Healthcare.gov. We will be conducting an information technology security review of this system.
[8] Our Web site scan covered only Healthcare.gov, the public interface for consumer enrollment and eligibility.

Methodology

To accomplish our objective, we:

  •  reviewed applicable Federal requirements,

  •  interviewed CMS officials responsible for monitoring the FFM to help determine whether CMS complied with Federal requirements,

  •  reviewed CMS staff and contractor documentation to determine whether it complied with Federal requirements,

  •  conducted Web site vulnerability scanning and simulated attacks against Healthcare.gov during April and May 2014,

  •  reviewed CMS security control assessment reports and vulnerability scan reports related to the FFM and supporting databases to determine whether findings had been tracked and vulnerabilities remediated,

  •  interviewed CMS staff and contractors about their procedures for securing the FFM, and

  •  discussed our testing procedures and findings with CMS.

WHAT WE FOUND

Since the launch of Healthcare.gov on October 1, 2013, CMS has taken actions to lower the security risks associated with Healthcare.gov systems and consumer PII, including, but not limited to:

  •  establishing a dedicated security team under the Chief Information Officer to monitor and track corrective action plans for vulnerabilities and ensure they are completed,

  •  performing weekly vulnerability scans of FFM-related systems, and

  •  completing two security control assessments of the FFM.

Although CMS had implemented controls to secure Healthcare.gov and consumer PII data, we identified areas for improvement. At the time of our review, CMS had not:

  •  implemented a process to use automated tools to test database security configuration settings on all of its supporting databases,

  •  implemented an effective enterprise scanning tool to test for Web site vulnerabilities,

  •  maintained adequate documentation to verify that a finding from one of its FFM security control assessment reports related to a database property file containing user credentials had been sufficiently closed by encrypting the file with a Federal Information Processing Standard (FIPS) 140-2-approved cryptographic module, and

  •  detected and defended against our Web site vulnerability scanning and simulated cyber attacks directed at the Healthcare.gov Web site.

The Web application vulnerability scanning that we conducted revealed one critical vulnerability in Healthcare.gov, which we confirmed with CMS.[9] CMS stated that it was aware of the vulnerability and had developed a corrective action plan with a scheduled completion date of June 30, 2014. Therefore, the vulnerability had not been fully remediated at the time we performed our vulnerability scan. Subsequently, CMS informed us that the recommended remediation was implemented to resolve the vulnerability. We provided the results from the Web site vulnerability scans to CMS so it could analyze the results and start any necessary remediation actions. After our audit, CMS provided written information explaining the steps it took to remediate the vulnerability.

[9] The Web scanning tool describes the relative severity of a vulnerability as follows: critical, an attacker's ability to execute commands on the server or retrieve and modify information; high, a hacker's ability to view source code, files, and messages; medium, issues that could be sensitive; and low, interesting issues or issues that could potentially become more severe.

With respect to our review of CMS's server vulnerability scan reports related to the FFM databases, we determined that although CMS was taking action to remediate the vulnerabilities identified in those reports, it had not fully remediated two critical vulnerabilities. CMS explained that it had developed a corrective action plan to resolve the two critical vulnerabilities; however, the vulnerabilities had not yet been fully remediated during our audit. CMS was working with its contractor to schedule a date to remediate one of the two vulnerabilities, and after our audit, CMS stated it had fully remediated the second critical vulnerability. These critical vulnerabilities placed the confidentiality, integrity, and availability of PII at risk and could have allowed unauthorized access to consumer PII.

WHAT WE RECOMMENDED

To ensure that consumer PII data entered on Healthcare.gov is secure and protected, we recommended that CMS management address the findings we identified.

CMS COMMENTS AND OIG RESPONSE

In written comments, CMS concurred with all of our recommendations and described the actions it has taken and plans to take to implement them. However, CMS stated that it did not believe that the finding and recommendation related to encrypting files using an encryption module that has been FIPS 140-2 validated should be included because the actions it has taken to resolve the issue were sufficient. Although CMS had implemented controls to mitigate risks related to the finding, we did not receive supporting documentation to verify FIPS 140-2 compliance during our audit and remain concerned about CMS's use of encryption modules that are not FIPS 140-2 validated. Therefore, we did not change our recommendation.

KENTUCKY HEALTH BENEFIT EXCHANGE

BACKGROUND

The Commonwealth of Kentucky operates a State Marketplace for individuals and small businesses. As of April 21, 2014, the Kentucky Health Benefit Exchange (KHBE) had processed 478,718 applications for approximately 610,891 individuals[10] and 628 employers to enroll 413,410 Kentucky residents in new health coverage, including 330,615 who qualified for Medicaid coverage and 82,795 who purchased private insurance under the ACA.[11]

HOW WE CONDUCTED THIS REVIEW

We reviewed information security controls, completed a Web application vulnerability scan, and completed a database vulnerability scan of KHBE. We performed our fieldwork at the Commonwealth's offices in Frankfort, Kentucky, from April to May 2014.

Scope

We reviewed the Commonwealth's policies, procedures, and controls in place as of April 2014. We limited our review to certain CMS MARS-E requirements and NIST guidelines. These requirements, safeguards, and standards included these topics:

  •  security plan,

  •  risk assessment,

  •  vulnerability scanning,

  •  penetration testing,

  •  patch management and flaw remediation,

  •  plan of action and milestones (POA&M), and

  •  incident response.

We focused our review on the Commonwealth's KHBE Web sites, databases, and supporting systems. We did not review the Commonwealth's internal controls as a whole.

[10] An application may contain one or more individuals.
[11] http://governor.ky.gov/healthierky/Pages/default.aspx.
Accessed on April 30, 2014.

Methodology

To accomplish our objectives, we assessed the KHBE:

  •  policies and procedures;

  •  system security plan;

  •  risk assessment;

  •  network boundaries and connections with other agencies;

  •  encryption methods used to protect data on and between Web sites and databases;

  •  capabilities for identifying vulnerabilities;

  •  patch management process for operating systems, Web servers, and software;

  •  Web sites and databases using automated audit tools; and

  •  vulnerability scans between August 2013 and March 2014.

We judgmentally selected for review:

  •  KHBE's security incident related to PII that was reported to the Commonwealth's Office of Technology,

  •  the 6 databases that contained KHBE data,

  •  KHBE's 2 Web sites for vulnerability assessment, and

  •  all 95 servers used for KHBE that contained Marketplace data.

WHAT WE FOUND

The Commonwealth had sufficiently protected PII on its KHBE Web sites and databases in accordance with Federal requirements. In general, the Commonwealth, using encryption, secured individuals' PII as it was entered into the Commonwealth's KHBE Web sites and while it was stored within the Commonwealth's database or during transmission. However, opportunities to improve KHBE database access and information security controls remain. Specifically, the Commonwealth had not sufficiently restricted user and group access to authorized roles and functions and had not sufficiently addressed Federal requirements for its system security planning, risk assessment, penetration testing and flaw remediation, POA&M, and incident response capability.

These conditions existed because the Commonwealth was transitioning its information technology responsibilities among agencies and had not sufficiently established coordination between them. In addition, at the time of our review, the Commonwealth agencies supporting the KHBE had not sufficiently implemented certain policies and procedures to meet Federal requirements. As a result, the PII on 478,718 applications for approximately 610,891 individuals and 628 employers was at a greater risk of being exploited.

WHAT WE RECOMMENDED

We recommended that Commonwealth management address the findings we identified.

COMMONWEALTH COMMENTS AND OIG RESPONSE

In its comments, the Commonwealth concurred with most of our recommendations and partially concurred with one recommendation. Although the Commonwealth partially concurred with our recommendation to limit access to its databases by restricting access to certain roles and functions, it stated that it would further explore the risks and determine whether it needed to restrict that access further. In a separate comment, the Commonwealth said that it concurred with our recommendation to perform penetration testing and asserted that it had "performed regular vulnerability and penetration [testing] for every major release."

Restricting database access to those with certain roles and functions increases the level of overall security for PII. Regarding the Commonwealth comment on penetration testing, although the Commonwealth had performed vulnerability assessments on KHBE-related applications, it had not performed external network penetration testing per Federal requirements. To clarify, vulnerability assessments are used to search for weaknesses or exposures, and penetration testing is used to attempt to gain access to resources without knowledge of usernames, passwords, or other normal means of controlling access.

NEW MEXICO HEALTH INSURANCE EXCHANGE

BACKGROUND

The New Mexico Health Insurance Exchange (NMHIX) is a partnership exchange and operates its own Marketplace Web site, nmhix.com. NMHIX operates a SHOP, which enrolls small businesses, but directs individuals to enroll through the FFM for health insurance.

HOW WE CONDUCTED THIS REVIEW

We reviewed information security controls, completed a Web application vulnerability scan, and completed a database vulnerability scan of NMHIX. We conducted our audit work during March 2014.

Scope

We focused our audit on NMHIX's Web site, database, and other supporting information systems. We reviewed NMHIX's implementation of CMS minimum information security requirements for State health insurance exchanges and NIST guidelines within the following information technology operational areas: wireless network administration, Universal Serial Bus port and device management, mobile device management, data encryption, remote access, patch management, Web applications, and database applications. We limited our review to these security control areas and to controls that were in place at the time of our site visit. We did not review NMHIX's internal controls as a whole.

Methodology

To accomplish our objective, we:

  •  reviewed applicable Federal and State requirements, NIST recommendations, and industry best practices;

  •  interviewed appropriate computer operations personnel responsible for information security;

  •  judgmentally selected systems and tested their hardware and software configurations;

  •  analyzed system configuration reports for potential network vulnerabilities, such as incomplete patching;

  •  performed wireless scans (without capturing or reading data);

  •  performed a Web application vulnerability scan on the NMHIX Web site;

  •  performed a database vulnerability scan on the NMHIX database; and

  •  discussed our findings with NMHIX management.

WHAT WE FOUND

Although NMHIX had implemented security controls, policies, and procedures to prevent vulnerabilities in its Web site, database, and supporting information systems, NMHIX's information technology policies and procedures did not always conform to Federal information technology requirements and NIST recommendations to secure sensitive information stored and processed by NMHIX. These vulnerabilities placed consumer data collected on the NMHIX Web site at risk.

Specifically, our audit identified the following vulnerabilities:

  •  one data encryption vulnerability,

  •  two remote access vulnerabilities,

  •  one patch management vulnerability, and

  •  one Universal Serial Bus port and device vulnerability.

In addition, our Web application vulnerability scan of the NMHIX Web site revealed 64 vulnerabilities.
The tool we used for the scan classified the vulnerabilities as critical (2),\nhigh (2), medium (4), and low (56). We described the definitions for the severity of the\nvulnerabilities in footnote 9.\n\nOur database vulnerability scan of the NMHIX database, which stores all sensitive user data,\nrevealed 74 vulnerabilities. The tool we used for the scan classified the vulnerabilities as high\n(1), medium (44), and low (29). 12\n\nThe vulnerabilities we identified placed the confidentiality, integrity, and availability of NMHIX\ninformation at risk and could have allowed unauthorized access to sensitive consumer data.\n\nWHAT WE RECOMMENDED\n\nWe recommended that NMHIX management address the vulnerabilities we identified.\n\n\n\n\n12\n  The database scanning tool describes the relative severity of a vulnerability as follows: high\xe2\x80\x94typically allows a\nnonprivileged user or nonuser to potentially gain full, unauthorized access to or crash the application, database, or\nsystem; medium\xe2\x80\x94typically allows a limited-privileged user to potentially gain unauthorized access to or crash the\napplication, database, or system; and low\xe2\x80\x94typically allows a privileged user to potentially gain unauthorized access\nto or crash the application, database, or system.\n\n\nHealth Insurance Marketplaces Could Improve Certain Information Security Controls (A-18-14-30011)                  13\n\x0cNEW MEXICO HEALTH INSURANCE EXCHANGE COMMENTS AND OIG\nRESPONSE\n\nIn written comments, NMHIX concurred with all of our recommendations and described the\nactions it had taken and plans to take to implement them.\n\n\n\n\nHealth Insurance Marketplaces Could Improve Certain Information Security Controls (A-18-14-30011)   14\n\x0c'